MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind.
These options force the SSL lib to use the specified protocol. They
are complementary to no-tlsv*/no-sslv3.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 66ce224..ea89e99 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6819,6 +6819,23 @@
an established connection while the proxy will only see it in SYN_RECV. This
option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
+force-sslv3
+ This option enforces use of SSLv3 only on SSL connections instanciated from
+ this listener. SSLv3 is generally less expensive than the TLS counterparts
+ for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv10
+ This option enforces use of TLSv1.0 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv11
+ This option enforces use of TLSv1.1 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv12
+ This option enforces use of TLSv1.2 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
gid <gid>
Sets the group of the UNIX sockets to the designated system gid. It can also
be set by default in the global section's "unix-bind" statement. Note that
@@ -6911,7 +6928,8 @@
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
@@ -6921,21 +6939,24 @@
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv10 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.0 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
no-tlsv11
This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv11 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.1 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
no-tlsv12
This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv12 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.2 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
prefer-server-ciphers
This setting is only available when support for OpenSSL was built in. It
diff --git a/include/types/listener.h b/include/types/listener.h
index aba864c..6a0e060 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -102,6 +102,11 @@
#define BC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
#define BC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
/* 0x000F reserved for 'no' protocol version options */
+#define BC_SSL_O_USE_SSLV3 0x0010 /* force SSLv3 */
+#define BC_SSL_O_USE_TLSV10 0x0020 /* force TLSv10 */
+#define BC_SSL_O_USE_TLSV11 0x0040 /* force TLSv11 */
+#define BC_SSL_O_USE_TLSV12 0x0080 /* force TLSv12 */
+/* 0x00F0 reserved for 'force' protocol version options */
#define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#endif
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index af02a69..af90018 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -494,6 +494,18 @@
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
ssloptions |= SSL_OP_NO_TICKET;
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+ SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
+#if SSL_OP_NO_TLSv1_1
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV11)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method());
+#endif
+#if SSL_OP_NO_TLSv1_2
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV12)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method());
+#endif
SSL_CTX_set_options(ctx, ssloptions);
SSL_CTX_set_mode(ctx, sslmode);
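Review bot: The four `SSL_CTX_set_ssl_version()` calls added ahead of `SSL_CTX_set_options()` each replace the context's method, so when more than one `BC_SSL_O_USE_*` bit is set the last `if` in source order wins (force-tlsv12 over force-tlsv11 over force-tlsv10 over force-sslv3) irrespective of which statement the configuration listed, and nothing reports the conflict. The return value is also discarded; per the OpenSSL API `SSL_CTX_set_ssl_version()` returns 0 when it cannot install the method, which would leave the context on its default method while the administrator believes the protocol is pinned. Before the calls, check that at most one force bit is set, e.g. `int forced = bind_conf->ssl_options & 0x00F0;` followed by rejecting the configuration when `forced & (forced - 1)` is non-zero, and treat a zero return from `SSL_CTX_set_ssl_version()` as a configuration error through whatever error path this function already uses (that path is outside the hunk). Note also that `force-sslv3` pins the listener to a protocol predating every TLS hardening, so the documentation's cost argument should not be read as a recommendation. The enclosing function starts before this hunk.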
@@ -1242,9 +1254,50 @@
p++;
}
+ return 0;
+}
+
+/* parse the "force-sslv3" bind keyword */
+static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->ssl_options |= BC_SSL_O_USE_SSLV3;
+ return 0;
+}
+
+/* parse the "force-tlsv10" bind keyword */
+static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->ssl_options |= BC_SSL_O_USE_TLSV10;
return 0;
}
+/* parse the "force-tlsv11" bind keyword */
+static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_1
+ conf->ssl_options |= BC_SSL_O_USE_TLSV11;
+ return 0;
+#else
+ if (err)
+ memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+/* parse the "force-tlsv12" bind keyword */
+static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_2
+ conf->ssl_options |= BC_SSL_O_USE_TLSV12;
+ return 0;
+#else
+ if (err)
+ memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+
/* parse the "no-tls-tickets" bind keyword */
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
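Review bot: None of the new `bind_parse_force_*` parsers checks whether another force-* bit, or the `BC_SSL_O_NO_*` bit for the same version, is already set in `conf->ssl_options`, so `force-sslv3 force-tlsv12` or `force-tlsv10 no-tlsv10` on one bind line is accepted and presumably only fails at handshake time, when the listener can negotiate nothing. Each parser could reject the conflict before OR-ing its flag, reusing the error path already present in `bind_parse_force_tlsv11`: `if (conf->ssl_options & 0x00F0) { if (err) memprintf(err, "'%s' : conflicts with another force-* statement", args[cur_arg]); return ERR_ALERT | ERR_FATAL; }`, where `0x00F0` is the range the header reserves for the force options and deserves a named mask. The same guard against the matching no-* bit (`BC_SSL_O_NO_SSLV3` for `force-sslv3`, and so on) would catch the second kind of conflict. `bind_parse_no_tls_tickets` continues past the end of the hunk.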
@@ -1365,6 +1418,10 @@
{ "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "force-sslv3", bind_parse_force_sslv3, 0 }, /* force SSLv3 */
+ { "force-tlsv10", bind_parse_force_tlsv10, 0 }, /* force TLSv10 */
+ { "force-tlsv11", bind_parse_force_tlsv11, 0 }, /* force TLSv11 */
+ { "force-tlsv12", bind_parse_force_tlsv12, 0 }, /* force TLSv12 */
{ "no-sslv3", bind_parse_no_sslv3, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_no_tlsv10, 0 }, /* disable TLSv10 */
{ "no-tlsv11", bind_parse_no_tlsv11, 0 }, /* disable TLSv11 */